Attribute-Based Access Control

Attribute-Based Access Control (ABAC) is a BrickStor SP feature that provides a fine-grained authorization mechanism to control access based on user-defined attributes. Attributes are essentially tags that are provided by policy engine software, such as Sentris, and assigned to a file or directory object. Attributes persist as the object is moved around the dataset. ABAC does not replace traditional ACLs, but rather complements them as an additional layer of security.

On BrickStor SP, authorization occurs in two stages. First, the system applies standard ACLs to determine whether a user is authorized to access a directory or file object. If this check fails, access is denied immediately. If it succeeds and ABAC is enabled on the dataset, BrickStor SP applies an additional layer of authorization.

During ABAC authorization, BrickStor SP evaluates the attributes required by the object against those provided for the user by the policy engine. Access is granted only when every required attribute is satisfied; if any required attribute is missing or fails evaluation, access is denied.

Applications may refer to these attributes as labels, markings, or caveats depending on the policy engine.

Label Inheritance

BrickStor SP offers an optional feature called Label Inheritance that automatically applies attributes to files placed into or created in a directory, without requiring the client or user to manually label or mark each file. Only files added to the directory after Label Inheritance is enabled are labeled automatically; existing files are not relabeled. By default, a new subfolder receives its own .abac.default file with the same labels as the parent directory. Use the labeling or attribute-marking software associated with the policy engine to mark the .abac.default file with the desired attributes. Users can mark the .abac.default in a subdirectory with a different set of attributes so that new files in that subdirectory receive different attributes than those of the parent directory.
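The two-stage decision (ACL first, then ABAC) and the Label Inheritance behaviour described above, as an added illustrative model that is not BrickStor SP's own code: labels are modeled as sets of strings, the policy engine's answer is modeled as the set of attributes it reports for the user, and "satisfied" is modeled as that set containing every label the object requires (an assumption about how the engine evaluates).

```python
from dataclasses import dataclass, field

DEFAULT_FILE = ".abac.default"  # marker file carrying a directory's inheritable labels


@dataclass
class Dataset:
    abac_enabled: bool = False
    label_inheritance: bool = False


@dataclass
class Node:
    """A file or directory; 'labels' are the attributes required to access it."""
    name: str
    acl_readers: set = field(default_factory=set)  # users the traditional ACL allows
    labels: set = field(default_factory=set)       # required ABAC attributes (constructed)
    children: dict = field(default_factory=dict)   # directories only


def create_file(ds: Dataset, parent: Node, name: str, acl_readers: set) -> Node:
    """A new file inherits the parent's .abac.default labels only while inheritance is on."""
    f = Node(name, set(acl_readers))
    default = parent.children.get(DEFAULT_FILE)
    if ds.label_inheritance and default is not None:
        f.labels = set(default.labels)
    parent.children[name] = f
    return f


def authorize(ds: Dataset, user: str, user_attrs: set, obj: Node) -> bool:
    """Stage 1: ACL. Stage 2 (only if ABAC is on): every required label must be held."""
    if user not in obj.acl_readers:
        return False                    # ACL failure denies immediately, ABAC never runs
    if not ds.abac_enabled:
        return True
    return obj.labels <= user_attrs     # any missing required attribute denies


def demo() -> dict:
    ds = Dataset(abac_enabled=True, label_inheritance=False)
    root = Node("share")
    root.children[DEFAULT_FILE] = Node(DEFAULT_FILE, labels={"PROJECT-X"})  # marked via engine tool
    old = create_file(ds, root, "old.txt", {"alice", "bob"})  # created before inheritance enabled
    ds.label_inheritance = True
    new = create_file(ds, root, "new.txt", {"alice", "bob"})  # created after: inherits PROJECT-X
    alice, bob = {"PROJECT-X"}, set()  # attributes the engine reports (constructed)
    return {"old_labels": old.labels, "new_labels": new.labels,
            "alice_new": authorize(ds, "alice", alice, new),
            "bob_new": authorize(ds, "bob", bob, new),
            "bob_old": authorize(ds, "bob", bob, old),
            "carol_new": authorize(ds, "carol", {"PROJECT-X"}, new)}  # not on ACL: denied
```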

To configure Label Inheritance on an existing dataset, follow the steps below:

  1. Connect to the SMB share from a workstation with the policy engine software installed.

  2. Create a file named .abac.default and place it in the directory of interest.

  3. Using the policy engine software, set the desired attributes on the .abac.default file.

  4. Navigate to the Dataset Settings Page.

  5. Click on the path of the desired dataset to navigate to the settings page of that dataset.

  6. Click Configure.

  7. If necessary, toggle the ABAC switch to enabled.

  8. Toggle the Label Inheritance switch to enabled.

  9. Click Save Changes.

Configuring policy engine

The ABAC page will not appear on the navigation side menu until the ABAC feature has been enabled on a dataset.

Sentris 4

To get started with ABAC using Sentris 4 as the policy engine for BrickStor SP, do the following. First, set up the required Sentris infrastructure and configure API access. Next, in BrickStor SP, add a new ABAC provider using the API access key. Lastly, enable ABAC on a dataset.

  1. Set up Sentris infrastructure

    1. Install custom Sentris 4 API service (provided by integrator).

    2. Enable SSL and Authentication for site.

    3. Add a user for the API; this is managed through Windows users and Microsoft's Internet Information Services (IIS).

  2. Create an SMB share with ABAC enabled.

  3. Add an ABAC provider.

    1. Navigate to the ABAC page.

    2. Click Add in the ABAC Providers section.

    3. Select a Type.

    4. Enter the URL of the ABAC server.

    5. Enter the User and Password for the ABAC server administrator.

    6. Toggle the Ignore Certificates Errors switch if no authorized certificate is available. See certificates for more information.

    7. Click Add.

      ABAC providers can also be added during dataset creation.

  4. From a Windows client with the Sentris 4 client software installed, mount the ABAC-enabled SMB share.

Sentris 5

To get started with ABAC using Sentris 5 as the policy engine for BrickStor SP, do the following. First, set up the required Sentris infrastructure and configure API access. Next, in BrickStor SP, add a new ABAC provider using the API access key. Lastly, enable ABAC on a dataset.

  1. Set up Sentris 5 infrastructure

    1. Add a user for the API (see Sentris documentation).

    2. Note the API IP address, port, username, and password.

    3. Create Sentris users for data access (see Sentris documentation).

  2. Create an SMB share with ABAC enabled.

  3. Add an ABAC provider.

    1. Navigate to the ABAC page.

    2. Click Add in the ABAC Providers section.

    3. Select a Type.

    4. Enter the URL of the ABAC server.

    5. Enter the User and Password for the ABAC server administrator.

    6. Toggle the Ignore Certificates Errors switch if no authorized certificate is available. See certificates for more information.

    7. Click Add.

      ABAC providers can also be added during dataset creation.

  4. From a Windows client with the Sentris client software installed, mount the ABAC-enabled SMB share.

After the above steps have been completed, the ABAC feature is ready for use on the BrickStor SP.